2004.09.17 libpng assignment

libpng is software that, among other things,
reads PNG files and uncompresses them for display.
On 2004.08.04,
several security holes were announced in libpng.
The security holes were fixed in version 1.2.6.
(Some serious non-security-related bugs were added in the rush
and fixed in version 1.2.7.)
The following comments apply to version 1.2.5.
(All files;
libpng-1.2.5.tar.gz.)

The function png_handle_tRNS,
at line 1216 of
libpng-1.2.5/pngrutil.c,
defines an array readbuf of length PNG_MAX_PALETTE_LENGTH,
and writes to it by calling a function png_crc_read.
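
The defensive pattern for a fixed-size buffer filled from a chunk, as an added example: this is not libpng code and not part of the original assignment. The names read_trns_checked and demo are hypothetical, the chunk layout is the standard PNG one (length, type, data, CRC), the constant is given libpng's value of 256, and CRC verification is left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PNG_MAX_PALETTE_LENGTH 256  /* same value as libpng's constant */

/* Hypothetical helper (not libpng code). One chunk is laid out as
 * length(4, big-endian) | type(4) | data(length) | crc(4).
 * Copies a tRNS payload into readbuf only if it fits; CRC is not verified. */
static int read_trns_checked(const unsigned char *chunk, size_t avail,
                             unsigned char readbuf[PNG_MAX_PALETTE_LENGTH],
                             size_t *out_len)
{
    uint32_t length;
    if (avail < 12)
        return -1;                      /* no room for header and CRC */
    length = ((uint32_t)chunk[0] << 24) | ((uint32_t)chunk[1] << 16) |
             ((uint32_t)chunk[2] << 8) | (uint32_t)chunk[3];
    if (memcmp(chunk + 4, "tRNS", 4) != 0)
        return -1;
    /* length comes from the file: compare it with the buffer size first */
    if (length > PNG_MAX_PALETTE_LENGTH)
        return -1;
    if (length > avail - 12)
        return -1;                      /* declares more data than present */
    memcpy(readbuf, chunk + 8, length);
    *out_len = length;
    return 0;
}

/* Builds a constructed tRNS chunk (declared length vs. actual payload bytes,
 * payload <= 1024) and returns the helper's verdict: 0 accepted, -1 rejected. */
int demo(uint32_t declared, size_t payload)
{
    unsigned char chunk[12 + 1024], readbuf[PNG_MAX_PALETTE_LENGTH];
    size_t n = 0;
    chunk[0] = (unsigned char)(declared >> 24);
    chunk[1] = (unsigned char)(declared >> 16);
    chunk[2] = (unsigned char)(declared >> 8);
    chunk[3] = (unsigned char)declared;
    memcpy(chunk + 4, "tRNS", 4);
    memset(chunk + 8, 0x80, payload + 4);   /* payload bytes and a dummy CRC */
    return read_trns_checked(chunk, 12 + payload, readbuf, &n);
}

int main(void)
{
    return !(demo(256, 256) == 0 && demo(257, 257) == -1 && demo(16, 4) == -1);
}
```

The check on the declared length is made unconditionally, before the copy, so no other state of the decoder can skip it.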

Question 1, due 2004.09.20:
Assume that libpng is used to read a PNG file
that was created by an attacker.
How can the attacker overflow the readbuf array?

Question 2, due 2004.09.22:
How can the attacker use this bug to modify user files
on a system with an executable stack?

Question 3, due 2004.09.24:
How can the attacker use this bug to modify user files
on a system with non-executable stack, non-executable heap, etc.?